Source:
https://scmp.com/news/asia/east-asia/article/3204528/north-korea-hacked-almost-900-south-korean-foreign-policy-experts-sought-ransom

North Korea hacked almost 900 South Korean foreign policy experts, sought ransom

  • South Korean authorities said the attacks may have tricked some victims into signing into fake websites, exposing their login details to the attackers
  • South Korea’s National Intelligence Service believes Pyongyang has stolen some US$1.72 billion in cryptocurrency around the world since 2017

North Korea carried out cyberattacks on at least 892 foreign policy experts from South Korea to steal their personal data and email lists, and also carried out ransomware attacks against online malls, according to the National Police Agency. The South Korean authorities said on Sunday that the attacks were meticulous enough to have tricked some of the victims into signing into fake websites, exposing their login details to the attackers.

The attacks, mainly targeting think tank experts and professors, began as early as last April, the agency said. The hackers sent spear phishing emails from multiple accounts posing as figures in South Korea, including a secretary from the office of Tae Yong-ho of the ruling People Power Party (PPP) in May, and an official from the Korea National Diplomatic Academy in October. The emails included a link to a fake website or an attachment carrying a virus that is triggered when opened.

Forty-nine of the recipients ended up visiting the fake websites and logging in, allowing the hackers to infiltrate and monitor their email accounts and download data from them, the agency said.

The police said that the hackers laundered their IP addresses and employed 326 “detour” servers in 26 countries to make it difficult to trace them online.

The police suspect that the hackers are the same group that hacked Korea Hydro & Nuclear Power in 2014. As reasons to believe so, the authorities pointed to the IP addresses indicating the origin of the attack, the hackers’ attempts to coax their targets into signing up for foreign websites, how the hackers infiltrated and managed the detour servers, the hackers’ use of North Korean diction, and the fact that the hackers targeted experts in diplomacy, inter-Korean unification, national security and defence. The police mentioned they investigated a North Korean hacking group called Kimsuky numerous times.

The police also said this year was the first time they had detected North Korean hackers using ransomware, which encrypts the files on the target device and demands a ransom for unlocking them. Apart from sending emails to the foreign policy experts, the hackers attacked shopping malls with cybersecurity vulnerabilities. Nineteen servers operated by 13 companies were hit; two of the companies paid the ransom of 2.5 million won (US$1,980) worth of bitcoin to the group.

Lee Gyu-bong, chief of the police agency’s counter cyber terror bureau, said that the bureau has been tracking the email addresses from which the spear phishing mails were sent as well as inspecting the bitcoin exchange market overseas.

The police suspect that North Korean hackers’ activities will continue for some time and urged people to increase security for their email accounts and other personal databases.

In a press conference last Thursday, the National Intelligence Service (NIS) also predicted that Pyongyang’s cyberattacks would continue next year. Forecasting potential threats to the country’s cybersecurity in 2023, Paik Jong-wook, one of the deputy presidents of the NIS, said that state-backed hackers like those from North Korea and China will continue their attacks on Seoul to steal South Korean technologies related to the nuclear industry, space, semiconductors, national defence and joint strategies with the US against Pyongyang.

“North Korean hackers might use deepfakes to produce and spread fake videos online as propaganda against Seoul, just like how Ukrainian President [Volodymyr] Zelensky was portrayed in a fake video surrendering to Russia in the early phase of the ongoing war,” Paik said. “We consider smartphones, computers and other personal devices of the president and ministers primary targets to protect from those hackers.”

Paik said North Korean hackers are trained to have the world’s top capabilities to infiltrate virtual assets like digital coins. He assumed Pyongyang has stolen some 1.5 trillion won (US$1.72 billion) in cryptocurrency around the world since 2017, including 80 million won (US$65,000) this year alone, and more than 10 million won (US$7,800) from South Korea.

“There were an average of 1.18 million attempted cyberattacks by organised hackers from across the world against the South Korean government per day last month,” Paik said. “It’s become an old tale that this volume of online attacks can be prevented singularly by the government.”

The NIS on November 30 introduced a new cybersecurity cooperation centre so that the government and private cybersecurity providers can work jointly to protect against cyberattacks around the clock.